Re: [whatwg/fetch] Clarification on CORS preflight fetches for TLS client certificates (#869)

Some more clarifications:

> I understand and am aware that the core of the concern seems to be that because of the current preflight behavior, it means that if you’re serving TLS to a browser, you cannot rely on mandating transport level authentication, and must leave it optional, dealing with it at a request level (authenticating individual requests for resources). Setting aside all the other problematic aspects of mTLS (e.g. prompting, renegotiation, rejection for inadequate security), the current behavior preserves HTTP semantics and aligns with the HTTP authentication model. Moving to enable pure transport auth, which is what enabling it for preflights would do, moves away from those semantics, from other auth methods, and from all of the efforts to improve the mTLS experience (such as the aforementioned spec efforts).

The client certificate prompt should appear on the first request made to the server -- I don't want any of the renegotiation or authentication of individual requests that you mention. (And AFAIK, it's not supported with the latest TLS anyway.) I'd just like a prompt on the preflight, similar to how it successfully happens when I `GET` or `POST` the same API.

> In theory, yes, but a number of such features exist because “in practice” this is not the case, and servers are ill-prepared (e.g. examining the message semantics while ignoring the request method used). Part of the reason for the preflight in the first place was to make sure that the server does understand the semantics and handles appropriately, and the omission of credentials prevents against confused deputy issues.

I don't think this is a reason. If the standards body doesn't take a stand then who will? And also, you're not adding any security because the attacker can launch missiles with a simple `GET` already, no need to trigger a preflight.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-787744494

Received on Monday, 1 March 2021 08:07:02 UTC
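The situation the thread describes, as an added example that is not part of the thread or of the Fetch specification: a browser sends the CORS preflight without credentials, and a TLS client certificate counts as a credential, so a server that mandates mTLS at the transport layer rejects the preflight and the credentialed request never happens. The function below models the workable server-side policy (client certificate optional at the handshake, preflight answered without it, certificate enforced on the actual request); the origin allowlist, header names and the `client_cert_verified` flag are constructed for illustration.

```python
# Added example, not from the whatwg/fetch thread. Models the policy decision a
# server makes per request when the TLS handshake requested a client certificate
# but did not require one. `headers` is assumed to use lowercase keys.

ALLOWED_ORIGINS = {"https://app.example"}  # constructed, hypothetical origin
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-requested-with"}


def handle(method, headers, client_cert_verified):
    """Return (status, response_headers, body) for one HTTPS request.

    `client_cert_verified` is what the TLS layer reports after a handshake in
    which the client certificate was requested but optional.
    """
    origin = headers.get("origin")
    cors = {}
    if origin in ALLOWED_ORIGINS:
        cors = {
            "Access-Control-Allow-Origin": origin,  # never "*" with credentials
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }

    # CORS preflight: OPTIONS + Access-Control-Request-Method. It arrives without
    # credentials, so it must succeed without a client certificate. It grants no
    # access to the resource itself; it only describes the policy.
    req_method = headers.get("access-control-request-method")
    if method == "OPTIONS" and req_method:
        if not cors:
            return 403, {}, "origin not allowed"
        req_headers = headers.get("access-control-request-headers", "")
        wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
        if req_method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return 403, cors, "preflight rejected"
        cors.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": "600",
        })
        return 204, cors, ""

    # Actual (credentialed) request: the client certificate is enforced here,
    # per request, rather than by refusing the TLS handshake.
    if not client_cert_verified:
        return 401, cors, "client certificate required"
    return 200, cors, "protected resource"
```

Mandating the certificate in the handshake instead would make the first branch unreachable for a browser, which is exactly the failure the thread is about.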